Skip to content

Commit

Permalink
ci: pin all GH Actions (#12619)
Browse files Browse the repository at this point in the history 
Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
  • Loading branch information
@agilgur5
agilgur5 committed Feb 5, 2024
1 parent e771bde commit 6ba7401
Show file tree
Hide file tree
Showing 9 changed files with 66 additions and 61 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/changelog.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,15 +18,15 @@ jobs:
pull-requests: write # for peter-evans/create-pull-request to create a PR
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
fetch-depth: 0
- run: git fetch --prune --prune-tags
- run: git tag -l 'v*'
# avoid invoking `make` to reduce the risk of a Makefile bug failing this workflow
- run: ./hack/changelog.sh > CHANGELOG.md
- uses: peter-evans/create-pull-request@v5
- uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
with:
title: 'docs: updated CHANGELOG.md'
commit-message: 'docs: updated CHANGELOG.md'
Expand Down
47 changes: 26 additions & 21 deletions .github/workflows/ci-build.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,12 @@ jobs:
ui: ${{ steps.changed-files.outputs.ui_any_modified == 'true' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 50 # assume PRs are less than 50 commits
- name: Get relevant files changed per group
id: changed-files
uses: tj-actions/changed-files@v41
uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2
with:
files_yaml: |
common: &common
Expand Down Expand Up @@ -87,6 +87,8 @@ jobs:
- *tests
# plus lint config
- .golangci.yml
# all GH workflows / actions
- .github/workflows/**
# docs files below
- docs/**
# generated files are covered by codegen
Expand All @@ -113,8 +115,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
Expand All @@ -131,8 +133,8 @@ jobs:
runs-on: windows-2022
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
Expand All @@ -147,10 +149,10 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build and export
uses: docker/build-push-action@v5
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
tags: quay.io/argoproj/argoexec:latest
Expand All @@ -159,7 +161,7 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Upload
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: argoexec
path: /tmp/argoexec_image.tar
Expand Down Expand Up @@ -210,21 +212,21 @@ jobs:
steps:
- name: Install socat (needed by Kubernetes v1.25)
run: sudo apt-get -y install socat
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
- name: Install Java for the SDK
if: ${{matrix.test == 'test-java-sdk'}}
uses: actions/setup-java@v4
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
with:
java-version: '8'
distribution: adopt
cache: maven
- name: Install Python for the SDK
if: ${{matrix.test == 'test-python-sdk'}}
uses: actions/setup-python@v5
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '3.x'
cache: pip
Expand All @@ -243,7 +245,7 @@ jobs:
echo " token: xxxxxx" >> $KUBECONFIG
until kubectl cluster-info ; do sleep 10s ; done
- name: Download argoexec image
uses: actions/download-artifact@v3
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: argoexec
path: /tmp
Expand Down Expand Up @@ -340,8 +342,8 @@ jobs:
env:
GOPATH: /home/runner/go
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
Expand Down Expand Up @@ -377,15 +379,18 @@ jobs:
env:
GOPATH: /home/runner/go
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
cache: true
- run: make lint STATIC_FILES=false
# if lint makes changes that are not in the PR, fail the build
- name: Check if lint made changes not present in the PR
run: git diff --exit-code
# lint GH Actions
- name: Ensure GH Actions are pinned to SHAs
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3

ui:
name: UI
Expand All @@ -396,8 +401,8 @@ jobs:
env:
NODE_OPTIONS: --max-old-space-size=4096
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: "20" # change in all GH Workflows
cache: yarn
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-reviewer.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v1.6.0
uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Approve PR
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/docs.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,14 @@ jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.9
- uses: actions/setup-go@v5
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: '1.21'
- uses: actions/setup-node@v4
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: "19"
# Use the same make target both locally and on CI to make it easier to debug failures.
Expand All @@ -37,7 +37,7 @@ jobs:
run: git diff --exit-code
# Upload the site so reviewers see it.
- name: Upload Docs Site
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: docs
path: site
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pr.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check PR Title's semantic conformance
uses: amannn/action-semantic-pull-request@v5
uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
48 changes: 24 additions & 24 deletions .github/workflows/release.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,18 +29,18 @@ jobs:
platform: [ linux/amd64, linux/arm64 ]
target: [ workflow-controller, argocli, argoexec ]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
with:
version: v0.10.4

- name: Cache Docker layers
uses: actions/cache@v3
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
id: cache
with:
path: /tmp/.buildx-cache
Expand All @@ -49,13 +49,13 @@ jobs:
${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-
- name: Docker Login
uses: docker/login-action@v3
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Docker Login
uses: docker/login-action@v3
- name: Login to Quay
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -97,15 +97,15 @@ jobs:
if: github.repository == 'argoproj/argo-workflows'
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -147,22 +147,22 @@ jobs:
runs-on: ubuntu-latest
needs: [ build-linux, build-windows ]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}

- name: Install cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
with:
cosign-release: 'v1.13.0'

Expand Down Expand Up @@ -211,13 +211,13 @@ jobs:
target: [ workflow-controller, argocli, argoexec ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -245,13 +245,13 @@ jobs:
needs: [ push-images ]
steps:
- name: Docker Login
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
username: ${{ secrets.DOCKERIO_USERNAME }}
password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
uses: Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
Expand Down Expand Up @@ -284,20 +284,20 @@ jobs:
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: "20" # change in all GH Workflows
- uses: actions/setup-go@v5
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- name: Restore node packages cache
uses: actions/cache@v3
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
with:
path: ui/node_modules
key: ${{ runner.os }}-node-dep-v1-${{ hashFiles('**/yarn.lock') }}
- name: Install cosign
uses: sigstore/cosign-installer@main
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
with:
cosign-release: 'v1.13.0'
# https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
Expand Down Expand Up @@ -340,7 +340,7 @@ jobs:
# If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
# of this action.
# Instead, delete the release so it is re-created.
- uses: softprops/action-gh-release@v1
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
if: startsWith(github.ref, 'refs/tags/v')
with:
prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sdks.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
- java
- python
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: make --directory sdks/${{matrix.name}} publish -B
env:
JAVA_SDK_MAVEN_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
Expand Down

0 comments on commit 6ba7401

Please sign in to comment.